Is there a place to store local and domain users servers and applications in the CMDB?

Paul Bloem · ‎05-31-2023

We have a SOX Compliance requirement to track the users that have access to certain applications. That list is compared to a list of approved users by our compliance team.

I'm wondering if there's a spot in the CMDB where we could keep track of these lists of users, like a class with fields for username, which application/service it has access to, what level of access it has, etc. We'd like to enhance our discovery patterns or set up data pulls from the relevant systems to automatically populate the table where possible.

Our initial thought was to track this with a field on the sys_user table, but many of these accounts are local/integration accounts that do not exist in AD and it seems like a misuse of the user table to add those for reporting purposes only. I haven't seen any CMDB tables that look correct for this use case, but want to make sure I'm not missing something OOB.

Zoso · ‎06-14-2023

Hello Paul,

Did you find anything relevant OoB?

We've made a custom table (unfortunately) to register all our external users from any systems we integrate with. I'm interested in knowing which approach you took to maintain it.

Best regards,

Paul Bloem · ‎06-14-2023

Hi Zoso,

I reached out to our account reps and they were not aware of anything for this specific purpose, but recommended investigating the IAM and PAM plugins in the ServiceNow Store to see if they might fill the need. Our current plan is to create a CI class for this purpose. I will come back here with an update if anything looks promising.

We would obviously rather have it be OOB, but we don't plan to do any automation beyond populating and reporting on this table so it's not the end of the world.

Best,
Paul

Zoso · ‎06-15-2023

Thanks for the feedback 🙂